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Report  Summary 


Introduction 


The  Banner  Human  Resource  System  is  made  up  of  many  interactive 
functions  necessary  for  human  resource  administration.   Benefits 
administration,  time  reporting,  and  payroll  calculation  are  examples  of 
some  of  the  functions. 


Disaster  Recovery 


This  audit  evaluated  controls  implemented  by  the  University  over 
Banner  in  selected  areas.   We  reviewed  electronic  access  controls  to 
determine  if  access  privileges  are  granted  according  to  users'  job 
responsibilities.   We  also  evaluated  the  HRS  office's  procedures  for 
recovery  from  a  system  failure  in  relation  to  University  disaster 
recovery  procedures.   The  audit  reviewed  policies  and  procedures  in 
relation  to  payroll  input,  processing,  and  output  controls. 

A  discussion  of  audit  scope  and  background  information  is  included  in 
Chapter  I.   Further  detail  for  the  audit  issues  summarized  below  is 
included  in  Chapter  II.   Overall,  the  Banner  Human  Resource 
System  provides  accurate  processing  results,  based  on  the 
information  input  for  processing.  Banner  accurately  computes 
employee  payroll  and  system  reports  are  reliable.  However,  input 
controls  should  be  improved. 

We  found  that  HRS  has  not  established  internal  procedures  to  maintain 
payroll  operations  in  the  event  that  computing  resources  are  lost. 
Without  recovery  procedures,  the  University  may  be  unable  to  process 
payroll  within  required  time  frames  following  loss  of  computer 
resources. 

Prior  EDP  audit  93DP-38  and  follow-up  audit  96DP-03  have 
recommended  the  University  establish  disaster  recovery  procedures 
and  that  the  Board  of  Regents  establish  formal  policies  for 
safeguarding  information  technology  resources  in  accordance  with 
section  20-25-301(16),  MCA.  These  recommendations  are  not 
implemented.  Therefore,  the  HRS  office  should  establish  other 
backup  procedures  to  process  payroll. 
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Input  Authorization  and 
Reconciliation  Controls 


Input  authorization  controls  verify  all  transactions  have  been  properly 
authorized  and  approved  prior  to  data  entry.   Student  employee  time 
cards  and  payroll  rosters,  which  are  used  to  report  faculty,  staff,  and 
administrative  employee  time  worked,  are  the  source  documents  for 
payroll  input. 

The  HRS  office  acts  as  a  central  processor  over  payroll  transactions 
submitted  by  the  campus  departments.  To  strengthen  authorization 
controls  over  payroll  input,  the  departments  should  follow  controlled 
procedures  for  secured  delivery  of  time  cards  and  rosters  to  HRS. 
Furthermore,  reconciliation  procedures  performed  within  the 
department  could  ensure  payroll  processed  as  intended. 


Student  Employee 
Termination  Procedures 


University  departments  hire  students  and  submit  payroll  information  to 
HRS  to  add  employees  to  the  Banner  system  and  initiate  payroll 
processing.   However,  the  departments  do  not  always  notify  HRS 
when  students  terminate  their  employment.   University  personnel 
policies  require  the  hiring  departments  to  provide  notice  of 
termination. 


To  reduce  the  potential  for  unauthorized  payroll  processing,  the 
University  should  enforce  current  policies  requiring  departments  to 
notify  HRS  of  student  employee  terminations  and  temporarily 
deactivate  accounts. 


Authorization  for  Hiring 
New  Employees 


University  policy  requires  designated  department  management  to 
authorize  new  employee  hires  for  permanent  classified  employees, 
faculty,  administrators,  professionals  and  individuals  on  letters  of 
appointment.   Two  of  fourteen  hiring  authorization  forms  we  reviewed 
were  not  authorized  by  designated  management.  Other  department 
supervisors  approved  the  payroll  forms  instead. 


HRS  maintains  a  list  of  executive  officers,  deans,  and  directors 
designated  to  approve  new  employee  hires.   The  HRS  office  should 
update  the  signature  list  to  help  ensure  controls  over  input  remain  with 
department  employees  authorized  to  approve  transactions. 
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Introduction  and  System 
Background 


We  performed  an  electronic  data  processing  (EDP)  audit  of  The 
University  of  Montana's  Banner  Human  Resource  System.   The  audit 
reviewed  input,  processing,  and  output  controls  over  human  resource 
data  processed  through  Banner.   In  addition,  the  audit  reviewed 
controls  over  electronic  access  and  disaster  recovery  as  related  to  the 
Banner  payroll  application.   The  audit  was  performed  in  coordination 
with  the  Legislative  Audit  Division  Financial  Compliance  biennial 
audit  of  The  University  of  Montana  -  Missoula. 


Banner  is  a  commercially  developed  application  which  operates  on  the 
University's  mainframe.   The  Banner  Human  Resource  System  is 
made  up  of  many  interactive  functions  necessary  for  human  resource 
administration.   The  functions  include  position  control,  applicant 
tracking,  employment  and  compensation  administration,  benefits 
administration,  time  reporting,  payroll  calculation,  and  payroll 
adjustments  and  history.   For  each  function  there  are  numerous 
screens  which  Human  Resource  Service  employees  access  to  view  or 
update  employee  information. 

The  Banner  Human  Resource  System  interfaces  with  the  other  Banner 
modules  purchased  by  the  University,  including  the  Student 
Information  and  Student  Financial  Aid  Systems.   Banner  uses  software 
which  connects  information  between  the  Banner  modules.   For 
example,  student  employee  status  for  payroll  processing  is  verified  by 
checking  the  number  of  student  credits  assigned  to  an  employee  in  the 
Student  Information  System. 

In  May  1998  the  Human  Resource  Services  (HRS)  office  processed 
payroll  transactions  through  Banner  for  4,385  employees  located  in 
128  departments,  programs,  and  offices  throughout  the  Missoula 
campuses.   Total  employees  are  categorized  as  follows:   747  faculty, 
77  administrators,  130  professional,  1,071  classified,  292  temporary 
classified,  and  2,068  students. 

With  the  implementation  of  the  Banner  Human  Resource  System  in 
July  1996,  the  University  delegated  responsibility  for  data  preparation 
and  authorization  to  campus-wide  departments.   Each  department 
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maintains  supporting  documentation  and  initiates  transactions  to  be 
processed  through  the  payroll  system.   The  University  plans  to 
implement  all  Banner  systems,  including  the  Human  Resource  System, 
at  its  other  campuses  (Helena,  Butte,  and  Dillon)  by  calendar  year 
2000. 


Organization  of  Report 


The  report  is  organized  into  two  chapters.  Chapter  I  provides  an 
introduction  and  background  on  the  Banner  Human  Resource  System. 
Chapter  II  addresses  the  audit  findings  related  to  controls  over  the 
Human  Resource  System  and  data  processed  through  the  system. 


Audit  Objectives 


The  objectives  of  this  audit  were  to  evaluate,  conclude,  and  report  on: 

1 .  Controls  over  data  processed  by  the  Banner  Human  Resource 
System.   The  audit  evaluated  data  input  controls,  primary 
processing  functions,  and  the  reliability  of  system  output. 

2.  Electronic  access  controls  and  disaster  recovery  planning  and 
testing. 

3.  Compliance  with  state  law,  federal  regulations,  and  University 
payroll  policies. 


Audit  Scope  and 
Methodology 


The  audit  was  conducted  in  accordance  with  government  auditing 
standards.   We  compared  the  University's  controls  against  criteria 
established  by  the  American  Institute  of  Certified  Public  Accountants, 
United  States  General  Accounting  Office,  and  the  electronic  data 
processing  industry. 


This  audit  evaluated  controls  implemented  by  the  University  over 
Banner  in  selected  areas.   We  reviewed  electronic  access  controls  to 
determine  if  access  privileges  are  granted  according  to  users' 
responsibility  for  entering  transactions,  processing  payroll,  reviewing 
confidential  payroll  data,  and  maintaining  application  software.   We 
also  evaluated  the  HRS  office's  procedures  for  recovery  from  a 
system  failure  in  relation  to  University  disaster  recovery  procedures. 

The  audit  reviewed  policies  and  procedures  in  relation  to  payroll 
input,  processing,  and  output  controls.   For  example,  we  reviewed 
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payroll  preparation  and  submission  procedures  and  data  entry 
performed  by  HRS  personnel.   We  also  performed  tests  over  payroll 
calculations  and  compared  anticipated  results  against  processing  results 
reported  by  the  system. 

Compliance  ^ne  aucut  reviewed  application  processing  for  compliance  with 

University  procedures  and  policies,  and  state  and  federal  laws.   We 
verified  Banner  properly  classifies  income  and  benefits  as  taxable  or 
non-taxable,  and  that  withholding  rates  agree  with  federal  and  state 
law.   We  determined  the  University  to  be  in  compliance  with  laws 
applicable  to  the  processing  of  payroll  as  tested. 
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Introduction 


This  chapter  discusses  audit  issues  we  identified  within  the  Banner 
processing  environment.   We  limited  our  control  work  to  areas 
specifically  related  to  payroll  input,  processing  and  output  functions. 
The  audit  focused  on  manual  and  automated  procedures  over  payroll 
processing  operations  within  the  HRS  office.   We  evaluated  campus- 
wide  procedures  which  ensure  data  submitted  to  HRS  is  valid, 
authorized,  and  agrees  to  processing  results. 


Banner  Human 
Resource  System 
Provides  Accurate 
Processing  Results 


The  Banner  Human  Resource  System  provides  accurate  processing 
results,  based  on  the  information  input  for  processing.   Banner 
accurately  computes  employee  payroll  and  system  reports  are  reliable. 
However,  input  controls  should  be  improved.   Our  audit  findings 
primarily  address  campus-wide  department  procedures  over  payroll 
initiation,  authorization,  and  reconciliation.   In  general,  we  found 
some  departments  do  not  follow  controlled  procedures  for  authorizing 
and  reconciling  payroll. 


The  following  sections  discuss  audit  issues  based  on  review  of  campus- 
wide  payroll  preparation  procedures  and  centralized  input,  processing 
and  output  controls  over  payroll  data. 


Disaster  Recovery 


The  University  has  not  completed  formal  disaster  recovery  procedures 
over  campus-wide  computer  systems.   This  audit  focused  on  payroll 
recovery  procedures  within  the  Human  Resource  Services  office.   We 
found  that  HRS  has  not  established  internal  procedures  to  maintain 
payroll  operations  in  the  event  that  computing  resources  are  lost. 
Without  recovery  procedures,  the  University  may  be  unable  to  process 
payroll  within  required  time  frames  following  loss  of  computer 
resources. 


Prior  EDP  audit  93DP-38  and  follow-up  audit  96DP-03  have 
recommended  the  University  establish  disaster  recovery  procedures 
and  that  the  Board  of  Regents  establish  formal  policies  for 
safeguarding  information  technology  resources  in  accordance  with 
section  20-25-301(16),  MCA.   These  recommendations  are  not 
implemented.   Therefore,  the  HRS  office  should  establish  other 
backup  procedures  to  process  payroll. 
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The  University  anticipates  establishing  campus-wide  recovery 
procedures  once  Banner  is  implemented  at  the  University  campuses 
located  in  Butte,  Dillon,  and  Helena.   Internal  procedures  can  be 
incorporated  into  campus-wide  formal  recovery  procedures  when  the 
University  completes  a  formal  disaster  recovery  plan. 


Recommendation  #1 

We  recommend  the  HRS  office  establish  internal  procedures  to 
process  payroll  operations  in  the  event  that  Banner  automated 
processing  functions  are  unavailable. 


Input  Authorization  and  Input  authorization  controls  verify  all  transactions  have  been  properly 

Reconciliation  Controls  authorized  and  approved  prior  to  data  entry.   Student  employee  time 

cards  and  payroll  rosters,  which  are  used  to  report  faculty,  staff,  and 
administrative  employee  time  worked,  are  the  source  documents  for 
payroll  input.  Student  time  cards  include  daily  hours  worked,  the 
student  signature  and  supervisor  authorization.   The  rosters  report  pre- 
established  pay  period  activity  which  payroll  clerks  from  individual 
departments  update  with  current  pay  period  information.   The 
following  examples  discuss  areas  where  campus  departments  could 
improve  controls  to  ensure  validity  of  authorized  time  input  for 
processing: 

~    Some  campus  departments  allow  students  to  deliver  their  own  time 
cards,  or  individuals  without  payroll  responsibility  to  deliver 
payroll  rosters  after  they  have  been  authorized  by  the  supervisor. 
As  a  result,  the  authorization  control  is  bypassed. 

Unsecured  delivery  of  payroll  input  increases  the  risk  of 
inappropriate  changes  to  recorded  hours  since  HRS  employees 
assume  the  changes  are  made  by  authorized  department  personnel. 
Four  of  fourteen  department  payroll  rosters  reviewed  include 
changes  to  recorded  payroll  data.  Changes  included  adjustments 
to  compensatory  time  and  overtime  hours  earned,  and  direct  time 
charged. 
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—  We  identified  student  time  cards  where  the  supervisor  signed  the 
student  employee's  name.  By  signing  the  student  employee's 
name,  the  supervisor  has  released  the  employee  from 
accountability  for  the  hours  recorded  on  the  time  card.   Because 
the  supervisor  is  also  responsible  for  budget  administration  and  is 
authorized  to  hire  and  terminate  student  employees,  improper 
payroll  transactions  could  be  processed  without  detection. 

—  Two  of  nine  departments  questioned  do  not  reconcile  processed 
payroll  to  the  original  data  submitted  for  input.  Instead,  they  rely 
on  employees  to  report  any  paycheck  errors.  Therefore, 
unauthorized  changes  entered  in  Banner  would  not  be  detected. 

The  HRS  office  acts  as  a  central  processor  over  payroll  transactions 
submitted  by  the  campus  departments.  To  strengthen  authorization 
controls  over  payroll  input,  the  departments  should  follow  controlled 
procedures  for  secured  delivery  of  time  cards  and  rosters  to  HRS. 
Furthermore,  reconciliation  procedures  performed  within  the 
department  could  ensure  payroll  processed  as  intended. 


Recommendation  #2 

We  recommend  The  University  of  Montana  -  Missoula  establish 

policies  over  payroll  input,  authorization,  and  payroll  review 

procedures. 


Student  Employee  The  University  employs  over  4000  students  through  college  work 

Termination  Procedures  study  programs,  graduate  assistance  programs,  and  non-work  study 

positions  each  year.  University  departments  hire  the  students  and 
submit  payroll  information  to  HRS  to  add  employees  to  the  Banner 
system  and  initiate  payroll  processing.   However,  the  departments  do 
not  always  notify  HRS  when  students  terminate  their  employment. 
University  personnel  policies  require  the  hiring  departments  to  provide 
notice  of  termination. 

Since  many  student  employees'  work  schedules  are  sporadic  and 
others  temporarily  terminate  employment,  campus  departments  leave 
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the  student  employee  account  active.  Once  a  year,  student  employee 
accounts  not  showing  payroll  activity  for  the  previous  three  months  are 
deleted.  The  risk  associated  with  leaving  a  terminated  employee's 
account  active,  is  a  time  card  being  processed  before  the  terminated 
employee  account  is  identified.   The  account  would  appear  active 
when  HRS  does  their  annual  review.  The  departments  that  are  not 
reconciling  processed  payroll  to  the  time  submitted  by  employees  will 
not  detect  the  unauthorized  paychecks  for  a  period  of  time. 

To  reduce  the  potential  for  unauthorized  payroll  processing,  the 
University  should  enforce  current  policies  requiring  departments  to 
notify  HRS  of  student  employee  terminations  and  temporarily 
deactivate  accounts. 


Recommendation  #3 

We  recommend  The  University  of  Montana  -  Missoula  enforce 
current  policy  regarding  termination  and  deactivate  student 
payroll  upon  termination. 


Authorization  for  Hiring  University  policy  requires  designated  department  management  to 

New  Employees  authorize  new  employee  hires  for  permanent  classified  employees, 

faculty,  administrators,  professionals  and  individuals  on  letters  of 
appointment.  Two  of  fourteen  hiring  authorization  forms  we  reviewed 
were  not  authorized  by  designated  management.  Other  department 
supervisors  approved  the  payroll  forms  instead. 

Industry  guidelines  suggest  management  establish  procedures  to  ensure 
only  authorized  transactions  be  entered  into  the  system  for  processing. 
HRS  maintains  a  list  of  Executive  Officers,  Deans,  and  Directors 
designated  to  approve  new  employee  hires.   We  found  the  list  was  not 
complete. 

HRS  personnel  processed  these  payroll  transactions  because  they  were 
familiar  with  the  individuals  who  approved  the  forms.   However, 
unless  established  procedures  are  followed,  improper  transaction 
processing  may  occur.   A  complete  authorized  signature  list  will  help 
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ensure  controls  over  input  remain  with  department  employees 
authorized  to  approve  transactions.  The  HRS  office  should  update  the 
signature  list  and  restrict  processing  unless  authorization  is  designated 
according  to  the  signature  list. 

Recommendation  #4 

We  recommend  The  University  of  Montana  -  Missoula: 

A.  Establish  procedures  to  periodically  update  the  authorized 
signature  list;  and, 

B.  Process  new  employee  payroll  transactions  in  accordance 
with  University  policy. 
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15  October,  1998 

Mr.  Scott  A.  Seacat 
Legislative  Auditor 
Legislative  Audit  Division 
Room  135  State  Capitol 
P.  O.  Box  201705 
Helena,  MT  59620-1705 

Dear  Mr.  Seacat: 


I  have  enclosed  The  University  of  Montana  -  Missoula's  response  to  Legislative 
Audit  Division  Banner  Human  Resource  System  EDP  Audit.   We  concur  with  all 
recommendations  and  will  address  them  as  outlined  in  our  response. 

We  appreciate  the  cooperative  efforts  made  by  the  audit  team  and  thank  those 
involved  for  their  assistance.   I  believe  as  we  progress  into  the  next  millennium  we 
all  gain  from  this  proactive  approach  to  reviewing  our  automated  process  and 
procedures 


jUkxmuk&lL 


Enclosure 


K.  Burgmeier,  Director,  Internal  Audit 

V.  S.  Cole,  Vice  President  for  Administration  and  Finance 

R.  Crofts,  Commissioner  of  Higher  Education 
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RECOMMENDATION  #1 

WE  RECOMMEND  THE  HRS  OFFICE  ESTABLISH  INTERNAL  PROCEDURES  TO 
PROCESS  PAYROLL  OPERATIONS  IN  THE  EVENT  THAT  BANNER  AUTOMATED 
PROCESSING  FUNCTIONS  ARE  UNAVAILABLE. 

RESPONSE 

THE  UNIVERSITY  OF  MONTANA  CONCURS  WITH  THE  RECOMMENDATION.  As 

the  University  works  toward  developing  a  realistic  and  practical  disaster  recovery  plan  for  The 
University  of  Montana  campuses,  departments  will  be  advised  to  develop  their  own  interim 
backup  plans.  Human  Resource  Services  personnel,  in  consultation  with  Computing  and 
Information  personnel,  will  develop  alternatives  for  processing  payroll  which  do  not  rely  upon 
the  Banner  automated  processing  function.  A  recommended  alternative  will  be  presented  for 
administrative  approval  by  30  June  1999. 

RECOMMENDATION  #2 

WE  RECOMMEND  THE  UNIVERSITY  OF  MONTANA  -  MISSOULA  ESTABLISH 

POLICIES  OVER  PAYROLL  INPUT,  AUTHORIZATION,  AND  PAYROLL  REVIEW 

PROCEDURES. 

RESPONSE 

THE  UNIVERSITY  OF  MONTANA  CONCURS  WITH  THE  RECOMMENDATION. 

General  departmental  payroll  procedures  will  be  developed  and  distributed  by  1  July  1999.  With 
distribution  of  these  procedures,  Human  Resource  Services  personnel  will  also  provide  training 
to  educate  campus  personnel  responsible  for  payroll  on  the  importance  and  need  for  the  various 
procedures.  Also  starting  1  July  1999,  Human  Resource  Services  will  perform  informal  reviews 
on  various  departments  to  ensure  compliance  with  policies  and  procedures.  Internal  Audit  has 
included  a  payroll  compliance  audit  in  their  Audit  Plan. 

RECOMMENDATION  #3 

WE  RECOMMEND  THE  UNIVERSITY  OF  MONTANA  -  MISSOULA  ENFORCE 
CURRENT  POLICY  REGARDING  TERMINATION  AND  DEACTIVATE  STUDENT 
PAYROLL  UPON  TERMINATION. 

RESPONSE 

THE  UNIVERSITY  OF  MONTANA  CONCURS  WITH  THE  RECOMMENDATION. 

Human  Resource  Services  personnel  will  educate  departmental/office  personnel  on  the 
importance  of  compliance  with  termination  procedures  -  especially  for  students.  Starting  in 
fiscal  year  1999-2000,  quarterly  reports  will  be  sent  to  campus  departments  and  will  require  their 
review  and  verification  of  student  employees. 
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RECOMMENDATION  #4 

WE  RECOMMEND  THE  UNIVERSITY  OF  MONTANA  -  MISSOULA: 

A.  ESTABLISH  PROCEDURES  TO  PERIODICALLY  UPDATE  THE 
AUTHORIZED  SIGNATURE  LIST;  AND 

B.  PROCESS  NEW  EMPLOYEE  PAYROLL  TRANSACTIONS  IN 
ACCORDANCE  WITH  UNIVERSITY  POLICY. 

RESPONSE 

THE  UNIVERSITY  OF  MONTANA  CONCURS  WITH  BOTH  RECOMMENDATIONS. 

As  Human  Resource  Services  personnel  implement  and  train  campus  personnel  on  the  newly 
developed  payroll  processing  procedures  they  will  remind  them  of  all  payroll  policies  and 
procedures.  This  training  will  commence  1  July  1 999.  Human  Resource  Services  personnel  will 
also  give  greater  attention  to  documents  ensuring  authorized  signatures. 
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